Ask questions on the official Q&A site at https://ask.datomic.com!
zendevil 2021-03-16T14:50:29.000800Z

hi @jaret @lanejo01 @alexmiller if you can still help me that would be great

jaret 2021-03-16T14:54:21.002500Z

Apologies @ps but I don't actively use lein. I'll take a look at this today if I get some time. Is there a way you can test just running lein repl with your credentials sourced from the project directory to see if we can eliminate the profile null error you are getting via your current method?

zendevil 2021-03-16T14:55:34.003300Z

@jaret is there a way that the datomic api accepts access key and secret directly rather than through a profile?

zendevil 2021-03-16T14:55:51.003700Z

this would also be helpful to deploy on something like heroku

jaret 2021-03-16T15:12:45.008400Z

You can certainly source credentials or create env vars. But I don't recommend that you hard code a solution here. As Joe and others have mentioned you can supply a creds-profile/creds-provider option in your client config map, but you have to have those things configured. Docs on credentials in AWS: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html. Let me know the results of running lein repl from your project and if you can load your project namespaces with credentials sourced.


Just a friendly mention that there's a broken link on "Log API" in this section https://docs.datomic.com/on-prem/best-practices.html#use-log-api

joshkh 2021-03-16T18:41:02.014300Z

should i expect any downtime while deploying to a query group with a single node, which is serving a handler via http-direct?

Joe Lane 2021-03-16T18:42:46.014900Z

@joshkh Depends on if you set the max size of the QG to 1 vs the desired size.

joshkh 2021-03-16T18:43:13.015300Z

desired size is 1, max size is 4*

Joe Lane 2021-03-16T18:44:48.017Z

Then I believe any disruption should be minimal, not sure about your application specifics. That being said, why not just change the QG to size 2+ during the deployment and shrink it back down after?

joshkh 2021-03-16T18:48:26.019700Z

that's a possibility for sure. but before i script out the process in CI to spin up a second instance, wait for health checks, deploy and tear down, i'd like to confirm first that a small downtime is expected with a desired capacity 1, minimum query group instances 1, maximum query group instances 4, minimum number of query group instances during (CF) update 1.

joshkh 2021-03-16T18:52:11.021900Z

i would have thought the 1/4 split would temporarily scale the group. you have a good point about application specifics, perhaps something is delaying a response past the health check.

Joe Lane 2021-03-16T18:52:31.022200Z

You should test that scenario to see if it matches your needs and expectations. Have you done that already?

joshkh 2021-03-16T18:53:03.022700Z

yeah 🙂 asking only because it's something i've been experiencing

esp1 2021-03-16T21:44:11.026700Z

Is there a recommended way to provide private access to a Datomic Cloud application without exposing it to the internet? I'm trying to figure out how to give access to an application I have deployed via Datomic Ions in a Production topology Datomic Cloud VPC to other users in our private AWS network. The Datomic instructions for setting up API Gateway HTTP Direct will route traffic over the external internet, which I'd like to avoid.

Joe Lane 2021-03-17T17:31:50.000400Z

Hi @esp1, we DO support this and have for quite some time. I'll make a quick playbook for how to do this and send it to you today or tomorrow. We will update our docs accordingly.

esp1 2021-03-17T18:11:20.000600Z

Great, thanks @lanejo01!

steveb8n 2021-03-18T07:20:52.000800Z

I do this by invoking the Ion Lambda using the AWS API. It was a bit tricky to get the request/response encoding right but, once done, it works great for internal Ion access

Joe Lane 2021-03-18T12:23:26.002100Z

He’s talking about http-direct though which will have much higher performance, especially in the same vpc.

Joe Lane 2021-03-19T14:02:19.030900Z

Let me know if you run into problems with that.

esp1 2021-03-19T20:40:33.069Z

Thanks @lanejo01! This is helpful, but I am actually interested in getting users that are logged in to our corporate AWS cloud through VPN access to the Datomic VPC - so they would be accessing it from outside the Datomic VPC, but inside our corporate AWS network. The two options I was exploring were:
• Setting up peering/routing to the Datomic VPC directly
• Using a private API Gateway endpoint

esp1 2021-03-19T20:42:13.069300Z

I can go the peering/routing way, but that would involve making changes to the Datomic VPC, and I was concerned that if I needed to update Datomic VPC via the CF templates those changes might be lost.

esp1 2021-03-19T20:44:20.070600Z

The private API GW endpoint seemed like it would be a solution that could be managed independently from the Datomic CF stacks, but I haven't set up one of these before and have been struggling with how to craft an appropriate resource policy to make it work.

jaret 2021-03-19T20:56:44.071500Z

We should work together on this in a support case ^ but I would recommend an API GW.

jaret 2021-03-19T20:57:24.071700Z

Can you throw me an e-mail at support@cognitect.com and I will get together a recommended policy.

jaret 2021-03-19T20:57:58.071900Z

perhaps after I can add this to the docs.

esp1 2021-03-19T21:30:09.072100Z

Thanks @jaret, will do